We propose a framework for reasoning about programs that manipulate coinductive data as well
as inductive data. Our approach is based on using equational programs, which support a seamless 
combination of computation and reasoning, and using productivity (fairness) as the fundamental 
assertion, rather than bi-simulation. The latter is expressible in terms of the former. 

As an application of this framework, we give an implicit characterization of corecurrence: a
function is definable using corecurrence iff its productivity is provable using coinduction for formulas
in which data-predicates do not occur negatively. This is an analog, albeit in weaker form, of a
characterization of recurrence (i.e. primitive recursion) in [13].

1 Introduction 

Coinductive data has been recognized for nearly two decades as a powerful framework for dealing with 
infinite objects of evolving and computational nature, such as streams, and — more generally — the 
behavior of unbounded processes and dynamic systems. 

We consider computation over "data-systems", in which data-types may be defined both inductively
and co-inductively. As our main computation model we use equational programs, since these have
immediate kinship with formal theories: a program's equations can be viewed as axioms, and computations
are simply derivations in equational logic. In the first part of this paper we develop some building blocks
for this project. We consider the global semantics of programs P over a data-system, that is their behavior
as "uninterpreted programs" over all structures for the vocabulary of the data-system. This approach was
developed for inductive data in [12]; here we extend it to data-systems in general, including coinductive
constructions. It is orthogonal to category theoretical methods in the study of coinduction, which seek to
characterize the intended (canonical) model.

An important benefit of streamlined proof systems for reasoning about programs is their use for
characterizing major computational complexity classes. Such characterizations fall within the realm of
implicit computational complexity, where one delineates complexity classes without reference to
computational resources such as time and space. In particular, there are illuminating characterizations of
complexity classes in terms of the strength of proof methods needed to prove termination (see e.g. [3, 10, 13]).
Such results lend insight into the significance of complexity classes, provide natural frameworks for
programming within given complexity boundaries, and yield static analysis tools for guaranteeing
complexity. Implicit characterizations have further potential benefit for coinductive data, because they might
clarify complexity notions that are dual to traditional notions of computational complexity such as
Polynomial Time.

The primitive recursive functions over the set N of natural numbers were characterized proof
theoretically already by Parsons [18], who proved that a function is primitive recursive iff it is provable in
Peano's Arithmetic with induction restricted to existential formulas.

In [11, 12] we developed intrinsic theories, a generic framework for reasoning about equational
computing over inductive data, and in [13] we used it to characterize the primitive recursive functions in terms
of induction for a particular class of formulas. Call a formula unipolar if it does not use data-predicates
(i.e. references to data) in both positive and negative position; an example are the positive formulas, in
which data-predicates do not occur in a negative position. In [13] we proved that a computable function
is primitive recursive iff it is provably correct in the intrinsic theory for N with induction restricted to
unipolar formulas. In fact we proved more. The forward implication can refer to a very weak formalism,
namely, every primitive recursive function is provable, using minimal logic, by induction for formulas
in which data-predicates appear only strictly-positively.¹ On the other hand, for the backwards
implication we proved that if a computable function is provable, using classical logic, by induction on unipolar
formulas, then it is primitive recursive.

We establish here a dual characterization for coinductive data, but where both implications refer to a
weak deductive calculus: a computable function over boolean streams is primitive corecursive (i.e.
definable using explicit definitions and corecurrence) iff it is provable using minimal logic, by coinduction for
formulas built from only conjunction, disjunction, and existential quantification. At present we do not
know whether this result can be strengthened to show that every equational program over streams which is
provable, using classical logic and unipolar coinduction, is primitive-corecursive.



2 Equational programs over data systems 
2.1 Equational programs 

We describe a generic framework for data-types that are defined using induction, coinduction, or a mix
thereof. Such frameworks are well-known for typed lambda calculi, with operators $\mu$ for smallest fixpoint
and $\nu$ for greatest fixpoint. Our present approach is to express computational behavior of programs via
global semantics, thereby dispensing with partial functions; and to define types semantically, via first
order axiomatics, dispensing with explicit fixpoint operators.

A constructor-vocabulary is a finite set $\mathcal{C}$ of function identifiers, referred to as constructors, each
assigned an arity $\geq 0$ (as usual, constructors of arity 0 are object-identifiers). We posit an infinite set
$\mathcal{X}$ of variables, and an infinite set $\mathcal{F}$ of function-identifiers, dubbed program-functions, and assigned
arities $\geq 0$ as well. The sets $\mathcal{C}$, $\mathcal{X}$ and $\mathcal{F}$ are, of course, disjoint.

If $\mathcal{E}$ is a set consisting of function-identifiers and (possibly) variables, we write $\overline{\mathcal{E}}$ for the set of terms
containing $\mathcal{E}$ and closed under application: if $g \in \mathcal{E}$ is a function-identifier of arity $r$, and $t_1 \ldots t_r$ are
terms, then so is $g\,t_1 \cdots t_r$. We use informally the parenthesized notation $g(t_1, \ldots, t_r)$, when convenient.²
We refer to elements of $\overline{\mathcal{C}}$, $\overline{\mathcal{C} \cup \mathcal{X}}$ and $\overline{\mathcal{C} \cup \mathcal{X} \cup \mathcal{F}}$ as data-terms, base-terms, and program-terms,
respectively.³

As in [11, 12], we use an equational computation model, in the style of Herbrand-Gödel,
familiar from the extensive literature on algebraic semantics of programs. There are easy inter-translations
between equational programs and program-terms such as those of $\mathrm{FLR}_0$ [14]. We prefer to focus on
equational programs because they integrate easily into logical calculi, and are naturally construed as
mathematical theories (with each equation as an axiom). Codifying equations by terms is, in fact, a
conceptual detour, since the computational behavior of such terms is itself spelled out using equations or
rewrite-rules.

¹ Recall that $\varphi$ is a strictly-positive subformula of a formula iff $\varphi$ is not in the scope of a negation or the negative scope of an
implication.

² In particular, when $g$ is of arity 0, it is itself a term, whereas with parentheses we have $g()$ (with $r = 0$ arguments) as a term.

³ Data-terms are often referred to as values, and base-terms as patterns.

A program-equation is an equation of the form $f(t_1 \ldots t_k) = q$, where $f$ is a program-function of arity
$k \geq 0$, $t_1 \ldots t_k$ are base-terms, and $q$ is a program-term. The left-hand side of a program equation is its
definiendum. Two program-equations are compatible if their definiendums cannot be unified. A
program-body is a finite set of pairwise-compatible program-equations. A program $(P, f)$ (of arity $k$) consists of
a program-body $P$ and a program-function $f$ (of arity $k$) dubbed the program's principal-function. We
identify each program with its program-body when in no danger of confusion.

We posit that every program over a given constructor-vocabulary has equations for destructors, as
well as a discriminator. That is, if the given vocabulary's constructors are $c_1 \ldots c_k$ with $m$ the maximal
arity, then the program-functions include the unary identifiers $\pi_{i,m}$ ($i = 1..m$) and $\delta_k$, and the program
contains the equations (for $c$ an $r$-ary constructor)

$$
\begin{array}{rcll}
\pi_{i,m}(c(x_1, \ldots, x_r)) &=& x_i & (i = 1..r) \\
\pi_{i,m}(c(x_1, \ldots, x_r)) &=& c(x_1, \ldots, x_r) & (i = r+1..m) \\
\delta_k(c_i(\vec{t}), x_1, \ldots, x_k) &=& x_i & (i = 1..k)
\end{array}
$$

Thus $\delta_k$ is a definition-by-cases operation, depending on the main constructor of the first argument. We
call a composition of $n$ destructors ($n \geq 0$) a deep destructor.

It is easy to define the denotational semantics of an equational program for the canonical
interpretation of inductive data. If $(P, f)$ is a program for a unary function over N, say, then it computes the partial
function $f : \mathbb{N} \to \mathbb{N}$ where $f(p) = q$ just in case the equation $f(p) = q$ is derivable from $P$ in equational
logic. (We write $n$ for the $n$'th numeral, i.e. the data-term $ss \cdots s0$ with $n$ $s$'s.)

The partiality of computable functions is most commonly addressed by either allowing partial
structures |9l CD [m, or by referring to domains, in which an object $\bot$ denotes divergence. Yet another
approach, adopted here, is based on the "global" behavior of programs in all (usual, non-partial)
structures. For example, consider the program $P$ over the constructors $0, s$ consisting of the two equations⁴
$f(0) = 0$ and $f(ssx) = f(sssx)$. Thus $P$ provides no instructions for input 1, and diverges for input $\geq 2$.
The latter conditions are captured by the statement that there are structures which model the equations
$P$, and where the terms $f(s0)$ and $f(ss0)$ are not equal to any numeral.

⁴ We omit some parentheses for readability.

2.2 Global semantics

The concept of global relations, which was present implicitly in mathematical logic for long, came to
prominence in Finite Model Theory in the 1980s. Let $\mathcal{C}$ be a collection of structures. A global relation
(of arity $r$) over $\mathcal{C}$ is a mapping that assigns to each structure $\mathcal{S}$ in $\mathcal{C}$ an $r$-ary relation over the
universe $|\mathcal{S}|$ of $\mathcal{S}$. For example, if $\mathcal{C}$ is the collection of all structures over a given vocabulary $V$, then a
first-order $V$-formula $\varphi$, with free variables among $x_1 \ldots x_r$, defines the predicate $\lambda x_1 \ldots x_r\, \varphi$ that to each
$V$-structure $\mathcal{S}$ assigns the relation

$$\{ (a_1 \ldots a_r) \mid \mathcal{S}, [\vec{x} := \vec{a}] \models \varphi \}$$

The notion that a formula delineates uniformly subsets of structures is implicit in [24] and Q.
Alternative phrases used include generalized relations, data base queries, global relations, global predicates,
uniformly defined relations, predicates over oracles, and predicates.
A global $r$-ary function over $\mathcal{C}$ is defined analogously. For example, each typed $\lambda$-term of type $o \to o$,
with identifiers in $V$ as primitives, defines a global function over the class of $V$-structures. E.g., if $c$, $f$ and
$g$ are $V$-identifiers for functions of arity 0, 1 and 2 respectively, then the term $\lambda x_1, x_2\; g(f(x_1), g(x_2, c))$
defines the global function that to each $V$-structure $\mathcal{S}$ assigns the mapping $(x_1, x_2) \mapsto g(f(x_1), g(x_2, c))$,
where $c$, $f$ and $g$ are the interpretations in $\mathcal{S}$ of the identifiers $c$, $f$ and $g$.

The starting point of Descriptive Computational Complexity Q is that programs used as acceptors 
define global relations. When those global relations can be defined also by certain logical formulas, one 
obtains machine-independent characterizations of computational complexity classes. For instance, Fagin 
[6] and Jones & Selman [8] proved that a predicate & over finite structures is defined by a program 
running in nondeterministic polynomial time (NP) iff it is defined by a purely existential second order 
formula. 

Programs of arity 0 can be used to define objects. For example, the singleton program $T$ consisting of
the equation $t = sss0$ defines 3, in the sense that in every model $\mathcal{S}$ of $T$ (over a vocabulary with $t$ as an
identifier), the interpretation of the identifier $t$ is the same as that of the numeral for 3. Consider instead
a 0-ary program defining an infinite term (i.e. essentially a stream), for instance the singleton program $I$
consisting of $\mathit{ind} = s(\mathit{ind})$. This does not have any solution in the free algebra of the unary numerals,
that is: the free algebra cannot be expanded into the richer vocabulary with $\mathit{ind}$ as a new identifier, so as
to satisfy the equation $I$.⁵ But $I$ is modeled in any structure where $s$ is interpreted as identity, and $\mathit{ind}$
as any structure element. Thus the interpretation of $\mathit{ind}$ is not unique. For a more interesting example,
consider the structure consisting of countable ordinals, with $s$ interpreted as the function $\lambda x.\, 1 + x$. Then
$I$ holds whenever $\mathit{ind}$ is interpreted as an infinite ordinal.

It follows that in our context bi-simulation, while guaranteeing true equality for the canonical model,
implies in general only equivalent computational behavior. Indeed, in the global semantic context
bi-simulation is not a sound inference rule, since for example two distinct objects can unfold to exactly the
same stream of digits (i.e. be observationally equivalent). However, bi-simulation leads to an equivalence
relation, which can be captured by a function bsm. Consider the program consisting of the two equations
$b(0 : x, 0 : y) = 0 : b(x, y)$ and $b(1 : x, 1 : y) = 1 : b(x, y)$. If $P$ also defines constant identifiers $a$ and $b$ as
some streams, then we have $P \models S(a) \wedge S(b) \to S(b(a, b))$ just in case there is a bi-simulation between
the streams denoted by $a$ and $b$, i.e. they are equal as elements of the coalgebra of boolean streams. If the
equality $a = b$ is provable using the traditional coinduction rule for bi-simulation then the implication
$(P) \to S(b(a, b))$ is provable in our deductive calculus below. Thus our framework supports all common
forms of reasoning about coinductive data.

2.3 Semantics of programs 

The global semantic approach to equational programs, considered for inductive data in [12], is of interest
as an alternative to the "canonical-structure" approach. Under the global semantics approach
the notion of correctness of programs is simple, direct, and informative. Here a program over inductive
data is said to be correct if it maps, in every structure, inductive data to inductive data. This turns out
to be equivalent to the program termination (for all input) in the intended structure (e.g. N when the
constructors are 0 and s). For programs over co-inductive data, which we address here, correctness will
turn out to be equivalent to productivity (sometimes dubbed fairness): if the input is a stream, then the
program will have a stream as output, without stalling.

The semantics of equational programs for inductive data, such as the natural numbers, is
straightforward. Given a structure $\mathcal{S}$ (for a vocabulary including the constructors in hand), a program $(P, f)$ (unary
say) computes the partial function $g : \mathbb{N} \to \mathbb{N}$ given by: $g(n) = m$ iff $P \vdash f(n) = m$, i.e. the equation is
deducible from $P$ in equational logic. (We write $n$ for the $n$'th unary numeral $s^n(0)$.)

⁵ As usual, when a structure is an expansion of another they have the same universe.

Let $\mathcal{S}$ be a structure whose vocabulary contains at least the constructors in hand. Consider fresh
0-ary identifiers $v_a$, one for each $a \in |\mathcal{S}|$ (i.e. element of the universe of $\mathcal{S}$). In keeping with the
terminology of Model Theory, we define the diagram of $\mathcal{S}$ to be the theory⁶

$$\mathrm{Diag}(\mathcal{S}) = \{\, v_a = c(v_{b_1} \cdots v_{b_r}) \mid a = c_{\mathcal{S}}(b_1 \cdots b_r),\ c \text{ an } r\text{-ary constructor} \,\}$$

In the presence of coinductive data-types, data may be infinite, and so the operational semantics of
equational programs must compute the output piecemeal from finite information about the input. If $\Gamma$
is any set of equations, and $t$ and $t'$ are terms, we write $\Gamma \vdash^{\omega} t = t'$ if for all deep-destructors $\Pi$ we
have (in equational logic) $\Gamma, \mathrm{Diag} \vdash \delta(\Pi(t), \vec{x}) = \delta(\Pi(t'), \vec{x})$. That is, one can establish equationally the
observational equivalence of $t$ and $t'$, i.e. the stepwise equality of finite approximations of the two terms.

If $t'$ is a data term, then $\Gamma \vdash^{\omega} t = t'$ is clearly equivalent (by discourse-level induction on $|t'|$) to
$\Gamma, \mathrm{Diag} \vdash t = t'$.

We say that a $k$-ary program $(P, f)$ computes over $\mathcal{S}$ the partial function
$f : |\mathcal{S}|^k \to |\mathcal{S}|$ when for every $\vec{a}, b \in |\mathcal{S}|$ we have $f(\vec{a}) = b$ just in case $P \cup \mathrm{Diag}(\mathcal{S}) \vdash^{\omega} f(v_{\vec{a}}) = v_b$.

Examples. Consider as constructors two unary functions ("successors") 0 and 1. Let $\mathcal{S}$ be the structure
of the $\omega$-words over $\{0, 1\}$, with the obvious interpretation of the constructors. Writing $a$ for $(01)^{\omega}$ and
$b$ for $(10)^{\omega}$, the diagram of $\mathcal{S}$ includes the equations $v_a = 0 v_b$ and $v_b = 1 v_a$. In this simple case these
equations could be used to define $a$ and $b$, but if $c$ and $d$ are the binary expansions of $\pi/4$ and $(\pi - 2)/2$,
then the equation $v_c = 1 v_d$ is also in the diagram, with not much to say about what $c$ and $d$ really are.

The unary program consisting of the two equations $f(0w) = 1 f(w)$, $f(1w) = 0 f(w)$ defines the
function $\mathit{flip} : |\mathcal{S}| \to |\mathcal{S}|$. We have $\mathit{flip}((01)^{\omega}) = (10)^{\omega}$, because we can easily see that

$$P,\ v_a = 0 v_b,\ v_b = 1 v_a \vdash^{\omega} \mathit{flip}(v_a) = v_b$$

We also have for $e$ = the digitwise flip of $c$ above that

$$P,\ \mathrm{Diag}(\mathcal{S}) \vdash^{\omega} \mathit{flip}(c) = e$$

However, as we take deeper destructors for the two terms, the equational proof needed here will use
increasingly large (albeit finite) portions of $\mathrm{Diag}(\mathcal{S})$.
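The two flip derivations above can be replayed mechanically. The following Python code is an added example, not taken from the paper: it unfolds diagram equations and the two flip equations one destructor at a time and records which diagram equations each observation used. The aperiodic word indexed by ('c', i) is a constructed stand-in for the binary expansion mentioned in the text, and all function names are assumptions of this example.

```python
import math

def diag(name):
    """Right-hand side (bit, next) of the diagram equation v_name = bit v_next.

    'a' and 'b' are the words (01)^w and (10)^w from the text. ('c', i) and
    ('e', i) are a constructed aperiodic word (bit i is 1 iff i is a perfect
    square) and its digitwise flip, standing in for the text's c and e.
    """
    if name == "a":
        return 0, "b"
    if name == "b":
        return 1, "a"
    word, i = name
    square = 1 if math.isqrt(i) ** 2 == i else 0
    return (square if word == "c" else 1 - square), (word, i + 1)

def unfold(term, used):
    """One rewriting step to head-normal form: returns (head bit, tail term).

    Terms are ('v', name) for a diagram constant and ('flip', t) for f(t).
    `used` collects the diagram equations the derivation relied on.
    """
    kind, arg = term
    if kind == "v":
        used.add(arg)
        bit, nxt = diag(arg)
        return bit, ("v", nxt)
    if kind == "flip":
        # program equations f(0w) = 1 f(w) and f(1w) = 0 f(w)
        bit, rest = unfold(arg, used)
        return 1 - bit, ("flip", rest)
    raise ValueError("unknown term: %r" % (term,))

def observe(term, depth):
    """Apply the deep destructor hd . tl^depth; return (bit, diagram equations used)."""
    used = set()
    for _ in range(depth):
        _, term = unfold(term, used)
    bit, _ = unfold(term, used)
    return bit, used

def agree_upto(t1, t2, n):
    """Finite approximation of observational equality: same bit at every depth < n."""
    return all(observe(t1, d)[0] == observe(t2, d)[0] for d in range(n))

def v(name):
    return ("v", name)

def flip(t):
    return ("flip", t)
```

For the periodic words every observation of flip(v_a) needs only the two equations for v_a and v_b, whereas the observation at depth 9 of the aperiodic word needs ten distinct diagram equations.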

2.4 Data systems 

So far we have considered abstract structures, with no a priori restriction on the behavior of
constructor-identifiers. We now proceed to define data-types, needed to reflect the intended computational behavior
of programs. We use reserved relation-identifiers (i.e. predicate symbols) for data-types, and convey
their defining properties by axioms (closure conditions) rather than via $\mu$ and $\nu$ fixpoint operators. This
allows us to incorporate data types seamlessly into the (first order) deductive machinery.

Descriptive and deductive tools for inductive and coinductive data are not new, of course. For
instance, the Common Algebraic Specification Language CASL has been used as a unifying standard in
the algebraic specification community, and extended to coalgebraic data [20, 21, 15, 22]. Several
frameworks combining inductive and coinductive data, such as ifTTIl, strive to be comprehensive, including
various syntactic distinctions and categories, whereas our approach is minimalist. Such minimalism is
made possible by combining the global semantic approach with a semantic (i.e. Curry-style) view of
types, by which types indicate semantic properties of pre-existing objects, as opposed to the ontological
(Church-style) view, by which types precede objects, with each object coming with a pre-assigned type.

⁶ We write $c_{\mathcal{S}}$ for the interpretation of the identifier $c$ in the structure $\mathcal{S}$.

Let $\mathcal{C} = \{c_1, \ldots, c_k\}$ be a set of constructors as above, where $c_i$ is of arity $r_i = \mathrm{arity}(c_i)$. A
data-system over $\mathcal{C}$ consists of

1. A list $D_1 \ldots D_k$ (the order matters) of unary relation-identifiers, where each $D_n$ is designated as
either an inductive-predicate or a coinductive-predicate, and associated a set $\mathcal{C}_n \subseteq \mathcal{C}$ of
constructors.

2. For each constructor $c$, of arity $r$ say, a non-empty finite set of functional types $\tau$, each of the form
$E_1 \times \cdots \times E_r \to E_0$, where each $E_i$ is one of the $D_j$'s. Here we require that no $E_i$ comes after $E_0$ in
the given listing of the predicates $D_j$. We say then that $c$ has type $\tau$.

The data-systems defined above do not accommodate simultaneous inductive or coinductive definitions, 
but a straightforward generalization does. 

Example. Let $\mathcal{C}$ consist of the identifiers 0, 1, [], s, t, and c, of arities 0, 0, 0, 1, 1, and 2, respectively.
Consider the following (ordered) list of predicates: inductive predicate B (for booleans) and N (natural
numbers), coinductive predicates J (infinite s/t-words) and S (streams of natural numbers), and an
inductive predicate L (lists of such streams).

The association of types to constructors is as follows.

$$
\begin{array}{ll}
0 : B & 0 : N \\
1 : B & \\
[\,] : L & \\
s : N \to N & s : J \to J \\
t : J \to J & \\
c : N \times S \to S & \\
c : S \times L \to L &
\end{array}
$$

Note that constructors are being reused for different data-types. This is in agreement with our
untyped, generic approach, where the intended type information is conveyed by the data-predicates. In other
words, data-types are explicitly conveyed in the formalism's syntax as semantic (Curry style) rather than
ontological (Church style) properties. □

The canonical model = of a data-system Q consists of interpretations $[\![D_n]\!]$ ($n = 1..k$) of
the data-predicates as sets of finite and infinite terms, obtained by discourse-level recurrence, as follows.
If $D_n$ is inductive, then $[\![D_n]\!]$ is the set of terms obtained from $[\![D_1]\!] \ldots [\![D_{n-1}]\!]$ by a finite number of
applications of the constructors in $\mathcal{C}_n$; dually, if $D_n$ is coinductive, then $[\![D_n]\!]$ is the set of finite and
infinite terms obtained from $[\![D_1]\!] \ldots [\![D_{n-1}]\!]$ by such applications. These terms are trees labeled by
constructors, where any node labeled by a constructor of arity $r$ has $r$ children. Note that if the
(non-empty) set of constructors associated with $D_n$ has no 0-ary constructors, then for an inductive $D_n$ the
set $[\![D_n]\!]$ is empty, whereas for a coinductive $D_n$ it is a nonempty set of infinite terms.

2.5 Adequacy of Global semantics 
Herbrand famously proposed to define the computable functions (over N) as those that are unique
solutions of equational programs. That definition yields in fact all the hyper-arithmetical functions, a far
larger class. But Herbrand was not far off: he only needed to adopt a global approach, rather than restrict
attention to the standard structure of the natural numbers. Indeed, in fill we observed the following. We
say that a structure is data-correct for N if it interprets the identifier N as the set of numeral denotations.

Theorem 1 (Semantic Adequacy Theorem for Inductive Data) An equational program $(P, f)$ over N
computes a total function iff the formula $N(x) \to N(f(x))$ is true in every model of $P$ which is data-correct
for N.

The proof in [12] of the nontrivial direction of Theorem 1 proceeds by constructing a "test-model"
for the program $P$. One starts with an extended term model, using the program-functions in $P$ as well as the
constructors, and takes the quotient of that term model over the equivalence relation of
equality-derived-from $P$.

3 Intrinsic Theories 

Intrinsic theories, introduced in [11, 12] for inductive data, are skeletal first-order theories whose interest
lies in a natural and streamlined formalization of reasoning about equational computing. For example,
the intrinsic theory for the natural numbers is suited for incorporating equational programs as axioms,
and while it has the same provably computable functions as Peano's Arithmetic, it has a more immediate
formalization of the notion of provable computability. For background, rationale, and examples, we refer
to [12].

The intrinsic theory for a data-system <3, IT(f^), has 

• The rules of Q); 

• Injectiveness axioms stating that the constructors are injective, i.e. for each $c \in \mathcal{C}$, of arity $r$,

$$\forall x_1 \ldots x_r, y_1 \ldots y_r \quad c(\vec{x}) = c(\vec{y}) \to \bigwedge_i x_i = y_i$$

• Separation axioms stating that the constructors have disjoint images:

$$\forall \vec{x}, \vec{y} \quad c\,\vec{x} \neq d\,\vec{y}$$

for each distinct constructors $c$, $d$; and

• For each constructor $c$, and type $E_1 \times \cdots \times E_r \to E_0$ for $c$, with $E_0$ an inductive predicate, the
corresponding clause in the inductive definition of $E_0$. That is, the data-introduction rule

$$\frac{E_1(x_1) \quad \cdots \quad E_r(x_r)}{E_0(c\,x_1 \cdots x_r)}$$

These rules delineate the intended meaning of $E_0$ from below.

• For each constructor $c$, and type $E_1 \times \cdots \times E_r \to E_0$ for $c$, with $E_0$ a co-inductive predicate, the
corresponding clause in the co-inductive definition of $E_0$. That is, the data-elimination rule

$$\frac{E_0(c\,x_1 \cdots x_r)}{E_i(x_i)}$$

These rules delineate the intended meaning of a coinductive $E_0$ from above.

• For each inductive data-predicate $D_n$ as above, a data-elimination (i.e. Induction) rule: for each
formula⁷ $\varphi \equiv \varphi[z]$, the rule

D„(t) Cm/7„[<p] 



where 



<p[t] 

D„(t) { (p[c(x 1 ---x r )} } c:ElX ... xEr ^ Dn 



<p[t] 

Here Ef(u) is <p[m] if Z?,- is D„, and is E{(u) otherwise. (These open assumptions are closed by the 
inference.) 

That is, if $\varphi[u]$ has the same closure properties under the constructors as $D_n$, then $D_n(t) \to \varphi[t]$.

• For each coinductive data-predicate $D_n$, a data-introduction (i.e. coinduction) rule: for each
formula $\varphi[z]$,

<p[t] Dcm n [(p] 

D„(t) (1) 

where 

{cp[x}} 

Dcm n [(p\ = ; 

V { 3zi ■ ■ .z r .(NEi(zi)) A a- = c(z) | c : £1 x • • • x £ r -> D„} 

(Here <2f is defined as for the induction template above.) 

That is, if $\varphi$ has the same closure properties under data decomposition (i.e. the destructors) as $D_n$,
then $\varphi[t] \to D_n(t)$.

Note. Since our approach here is generic to all structures, the bounding condition in the statement of
Coinduction is necessary. Consider for example the coinductive data $W^{\infty}$ of infinite 0-1 words, i.e. the
coinductive data predicate built from unary function identifiers 0 and 1, considered above. Taking the
eigen formula $\varphi$ of Coinduction to be $x = x$, we would get, absent the bounding condition, $\forall x\, W^{\infty}(x)$,
which is not valid in models of the intrinsic theory for $W^{\infty}$.

From the injectiveness and separation axioms it follows that it is innocuous to use identifiers for
destructors and discriminator functions, as above.

Theorem 1 justifies a concept of provable correctness of programs: $(P, f)$ is provably correct in a
given formal theory if the formula above is not merely true in all data-correct models of $P$, but is indeed
provable in the intrinsic theory IT(£F) from (the universal closure of) $P$, as an axiom.



4 Corecurrence and strictly-positive coinduction 

4.1 Functions definition by corecurrence 

A function definition by recurrence uses its input by eager evaluation: it consumes the top constructor of
the input to select the definition-case, and proceeds to consume that constructor's arguments. That is, for
each constructor $c$, one has a clause

$$f(c(x_1 \ldots x_r), y) = g_c(e_1 \ldots e_r, y) \qquad r = \mathrm{arity}(c) \qquad e_i =_{df} f(x_i, y) \qquad (2)$$

Here each $g_c$ is a previously defined function of appropriate arity. Using a discriminator case function,
the template above can be summarized as

$$f(x, y) = \mathrm{case}(x, e_1 \ldots e_k) \qquad e_i =_{df} f(\pi_i(x), y)$$

(Recall that $\pi_i$ is the $i$'th destructor.)

⁷ We use the bracket notation $\varphi[t]$ to stand for the correct substitution in $\varphi$ of $t$ for the free occurrences of some fixed variable
$z$.

Dually, a definition by corecurrence builds up the output: it produces the top constructor of the 
output, and proceeds to produce that constructor's arguments: 

/»-««.,....,) ; : $g®> o) 

$$e_i =_{df} f(g_i(x))$$

This template can be summarized by

$$f(x) = \mathrm{cocase}(h(x), e_1 \ldots e_k) \qquad e_i =_{df} f(g_i(x))$$

where cocase$(u, \vec{v})$ returns the main constructor $c$ of $u$, of arity $r$ say, applied to the first $r$ of the remaining
arguments $\vec{v}$.

More generally, we use corecurrence to define as above not a single function $f$, but a vector
$\vec{f} = (f_1 \ldots f_k)$ of functions:

fj (x) = cocase (h j (x),e 1 ...e k ) e t = df f t . (gij (x) ) 

The distinction in (2) between the recurrence argument and the parameters $y$ disappears in (3) because
the focus of the definition shifts to the output, which plays a role analogous to the recurrence argument
of the recurrence schema.

When we have just one constructor, e.g. a binary function cons, the output's main constructor need
not be specified, and (3) can be conveyed by applying destructors to the output:

$$\pi_i(f(x)) = f(g_i(x)) \qquad i = 0, 1 \qquad (4)$$

Such use of destructors is common in presentations of corecurrence, but it fails to capture corecurrence
for arbitrary coinductive data. Of course, each case can be coded using streams, just as all inductive data
can be coded using the natural numbers.

In our untyped setting the values $f(g_0(x))$ and $f(g_1(x))$ have the same standing. Streams over a finite
base set $A$ can be construed as a restricted form of (O, with each $a \in A$ taken as a nullary constructor,
and requiring the first argument of cons to be one of these constructors.

A function over the given data-system is primitive corecursive if it is generated from the constructors 
and destructors by composition and corecurrence. 

Example. Boolean streams form a simple data system of the kind mentioned above: CONS is the unique
non-constant constructor, which we denote by an infixed colon. The remaining constructs are the nullary
0 and 1, and the data-predicates are the inductive (and finite) $B$ (booleans) and the coinductive $S$ (streams).
The rules are

$$B(0) \qquad B(1) \qquad \frac{S(x : y)}{B(x)} \qquad \frac{S(x : y)}{S(y)}$$

The constructor cons has the two destructors $hd : S \to B$ and $tl : S \to S$.

Since there is a single non-constant constructor here, corecursion can be formulated using the
destructors, as in the template:

$$hd(f(x, y)) = g_0(x, y)$$
$$tl(f(x, y)) = f(g_1(x, y), y)$$

For example, we can define by corecurrence a function even:

$$hd(even(x)) = hd(x); \qquad tl(even(x)) = even(tl(tl(x))).$$

The function even is productive (i.e. fair, see [23, 5]), in the sense that it maps streams to streams.

More precisely, in every model $\mathcal{S}$ of the data-system, expanded to interpret even while satisfying its
equational definition, if $S(x)$ holds for $x$ bound to an element $a$ of $\mathcal{S}$'s universe, then $S(even(x))$.

The generic coinduction rule (1) specializes for boolean streams to the following.

$$\frac{\varphi[t] \qquad \begin{array}{c} \{\varphi[x]\} \\ \vdots \\ \exists z_0, z_1.\,(B(z_0) \wedge \varphi[z_1] \wedge x = z_0 : z_1) \end{array}}{S(t)} \qquad (5)$$

While corecurrence is dual to recurrence, it is computationally weaker in some ways. Recurrence
allows coding of computation traces, so that cumulative (course-of-value) recurrence is implementable
using simple recurrence. In contrast, a cumulative variant of corecursion, using at any given point the
output stream so far, is not captured by standard corecurrence. For example, the definition of the
Morse-Thue sequence, $x = 1 : merge(x, not(x))$, is not a legal corecurrence.
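The destructor template of this section and the function b of Section 2.2 can both be run on lazily built streams. The following Python code is an added example, not taken from the paper: `corec` builds a function from g0 and g1 exactly as in the template, and `bsm` implements the two equations for b, so that its output stays productive only while the two inputs agree. The `Stream` class, `periodic`, `take`, `productive_upto` and the `Stuck` exception are assumptions of this example, and productivity is checked only on finite prefixes.

```python
class Stuck(Exception):
    """No program equation applies, so the observation cannot proceed."""

class Stream:
    """A cons cell hd : tl whose tail is computed on first use and then cached."""
    def __init__(self, hd, tl_thunk):
        self.hd = hd
        self._thunk = tl_thunk
        self._tl = None

    @property
    def tl(self):
        if self._thunk is not None:
            self._tl = self._thunk()
            self._thunk = None
        return self._tl

def corec(g0, g1):
    """The template hd(f(x,y)) = g0(x,y), tl(f(x,y)) = f(g1(x,y), y)."""
    def f(x, *y):
        return Stream(g0(x, *y), lambda: f(g1(x, *y), *y))
    return f

def periodic(bits, i=0):
    """Constructed sample input: the stream bits^w, starting at position i."""
    return Stream(bits[i % len(bits)], lambda: periodic(bits, i + 1))

def take(s, n):
    """First n bits, obtained with the deep destructors hd . tl^k for k < n."""
    out = []
    for k in range(n):
        out.append(s.hd)
        if k + 1 < n:
            s = s.tl
    return out

# hd(even(x)) = hd(x); tl(even(x)) = even(tl(tl(x)))
even = corec(lambda x: x.hd, lambda x: x.tl.tl)
# the flip program of Section 2.3, written as a corecurrence
flip = corec(lambda x: 1 - x.hd, lambda x: x.tl)

def bsm(x, y):
    """b(0:x, 0:y) = 0 : b(x,y) and b(1:x, 1:y) = 1 : b(x,y); no other equations."""
    if x.hd != y.hd:
        raise Stuck("no equation for b(%d:_, %d:_)" % (x.hd, y.hd))
    return Stream(x.hd, lambda: bsm(x.tl, y.tl))

def productive_upto(make_stream, n):
    """True if the first n observations of make_stream() all succeed."""
    try:
        take(make_stream(), n)
        return True
    except Stuck:
        return False
```

Here even((0111)^ω) and (01)^ω are built differently but unfold to the same bits, so b applied to them keeps producing output, while b applied to (0100)^ω and (01)^ω stalls at the fourth observation.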



4.2 Strictly-positive coinduction captures corecurrence 

Consider the intrinsic theory for a coinductive datatype, such as the boolean streams. We call a formula
strongly positive if built using conjunction, disjunction, and $\exists$ as the only logical operations. A formula
is unipolar if it does not have both positive and negative occurrences of data-predicates. As mentioned
in the Introduction above, we know that a function over N is primitive recursive iff it is provably correct,
using classical logic, in the intrinsic theory for N with induction restricted to unipolar formulas; and also
iff it is provably correct, using minimal logic, in the intrinsic theory for N with induction restricted to
strongly-positive formulas.

Here we prove for the primitive corecursive functions an analog of the latter characterization. For
concreteness and expository economy, we focus on the data-system 3m consisting of just streams of
booleans as data-type, and refer to the intrinsic theory for it, based on minimal logic. We write $IT^+$ for
that theory, with coinduction restricted to strictly-positive formulas.

PROPOSITION 2 If a k-aryf is defined by corecursion from functions provable in IT + , then f is provable 
in IT+. 

Proof. Suppose that $f$ is defined by 

$$f(x) = g_0(x) : f(g_1(x))$$

Let $(P_0, g_0)$ and $(P_1, g_1)$ be programs (with no common function-identifiers) that are provable in IT$^+$, 
with $\mathcal{D}_0$ a derivation of $B(g_0(u))$ from $S(u)$ and $P_0$, and $\mathcal{D}_1$ deriving $S(g_1(u))$ from $S(u)$ and $P_1$. Consider 
$(P, f)$ where $P$ is $P_0 \cup P_1$ augmented with the corecursive definition of $f$ from $g_0$ and $g_1$. Then $S(f(x))$ is 
derived from $S(x)$ and $P$, as follows. 

Let $\varphi[z]$ be the strictly-positive formula $\exists y\, S(y) \wedge f(y) = z$. Then $S(f(x))$ is derived from assumptions 
$S(x)$ and $P$ by coinduction on $\varphi$, since the premises of coinduction follow from these assumptions: 

• From $S(x)$ we have $S(x) \wedge f(x) = f(x)$, and so $\varphi[f(x)]$. 

• Assuming $\varphi[x]$ we have $S(y) \wedge f(y) = x$ for some $y$, i.e. $g_0(y) : g_1(y) = x$. But $S(y)$ implies $B(g_0(y))$ 
by $\mathcal{D}_0$, and $S(g_1(y))$ by $\mathcal{D}_1$. Using $\mathcal{D}_0$ and $\mathcal{D}_1$ for $u = g_1(y)$, we get from $S(g_1(y))$ that $\varphi[g_1(y)]$. 
Taking $z_0 = g_0(y)$ and $z_1 = g_1(y)$, we thus have $f(x) = z_0 : z_1 \wedge B(z_0) \wedge \varphi[z_1]$, concluding the other 
premise of the coinduction. 

□ 



4.3 From coinduction to corecurrence 

We proceed to show the converse of Proposition 2, namely that corecurrence captures strongly-positive 
coinduction. If $P$ is an equational program, let us write IT$^+(P)$ for the natural deduction calculus for 
IT$^+$, augmented with the program $P$ in the guise of an inference rule.$^8$ If $t = t'$ is an equation in $P$, then 

$$\frac{\alpha[t]}{\alpha[t']} \qquad \frac{\alpha[t']}{\alpha[t]}$$

are inferences, where $\alpha$ is any atomic formula. Clearly, a formula $\varphi$ is derivable in IT$^+(P)$ from 
assumptions $\psi$ iff $\varphi$ is derivable in IT$^+$ from $\psi$ plus (the universal closure of) $P$. 

A basic observation is the following, where we refer to the usual notion of logical detours in natural 
deduction derivations [19]. Recall that a logical detour arises when the major premise of an elimination 
rule (for a logical operator) is derived by an introduction rule. 

Lemma 3 1. Every derivation of IT$^+(P)$ can be converted to a derivation without logical detours. 

2. If $\mathcal{D}$ is a derivation of IT$^+(P)$ without logical detours, proving a strongly-positive formula from 
strongly-positive assumptions, then every formula in $\mathcal{D}$ is strongly-positive. 

Proof. Part (1) is proved as for first-order logic [19]. Part (2) follows by a straightforward structural 
induction, using the fact that coinduction is restricted to strongly-positive formulas, and that the logic is 
minimal. □ 

We define a relation $\mathcal{S}, \eta, \sigma \Vdash \varphi$, i.e. the stream $\sigma$ realizes the formula $\varphi$ in the interpretation 
$(\mathcal{S}, \eta)$ consisting of a model of IT$^+$ and of $P$, and an environment $\eta$ in it. The relation is defined by 
structural recurrence on the formula $\varphi$. For a stream $\sigma$ we define the streams $\sigma_i$, $i \geq 0$, inductively, 
jointly with the streams $\sigma'_i$. The intent is that $\sigma_0$ consists of the even-positioned entries of $\sigma$, 
$\sigma_1$ of the even-positioned entries of the remaining entries, etc.: $\sigma_0 = \mathrm{even}(\sigma)$, 
$\sigma'_0 = \mathrm{odd}(\sigma)$, $\sigma_{i+1} = \mathrm{even}(\sigma'_i)$, $\sigma'_{i+1} = \mathrm{odd}(\sigma'_i)$. 

• $\mathcal{S}, \eta, \sigma \Vdash S(t)$ iff $\sigma = [\![t]\!]_{\mathcal{S},\eta}$ and $\sigma \in S^{\mathcal{S}}$. 



8 This deductive style has been used in research on the Curry-Howard morphism for higher-order logic, e.g. [10]; it was 
dubbed "deduction modulo" in [4] and subsequent works. 
• J?, T] , a Ih t = t' iff a = = p/J^X. 

• $\mathcal{S}, \eta, \sigma \Vdash \varphi_0 \wedge \varphi_1$ iff $\sigma_i \Vdash_{\mathcal{S},\eta} \varphi_i$, $i = 0, 1$. 

• y rj, a Ih <p iff ^ < T], tfa Ih <P/j^ CT . 

• y, r], a\\- 3xcp iff <y, 17 [je := a ], ai Ih <p. 

Lemma 4 Suppose IT$^+(P) \vdash \bigwedge_i \psi_i[x] \to \varphi[x]$. Then there is a primitive corecursive function $f_0$ such 
that for all models $\mathcal{S}$ of $P$, and for all streams $\tau$ and $\sigma$, if 

$$\mathcal{S}, [x := \tau], \sigma_i \Vdash \psi_i,$$

then 

$$\mathcal{S}, [x := \tau], f_0(\tau, \sigma) \Vdash \varphi.$$

More precisely, there is a primitive corecursive program $P_0$ (which computes $f_0$ above), such that 
every model of $P$ can be expanded to a model of $P_0$, where $f_0$ has the property above. 

Proof. Let $\mathcal{D}$ be a derivation of $\psi[x] \to \varphi[x]$ in IT$^+(P)$. By Lemma 3 we may assume that $\mathcal{D}$ is 
detour-free, and with all formulas strongly-positive. The Lemma is proved by structural induction on $\mathcal{D}$. For 
the base cases $f_0$ is the identity. The cases where the main inference of $\mathcal{D}$ is a logical rule are immediate 
from the definition of $\Vdash$. The cases of the Data-elimination rule (decomposition) are immediate since the 
destructor functions are initial primitive corecursive functions. The case of the rewrite rules based on $P$ 
is assured by the fact that $\mathcal{S}$ is assumed to be a model of $P$. 

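The case of interest is where the main inference rule of $\mathcal{D}$ is Coinduction (for strongly-positive 
formulas): 

$$\frac{\varphi[t] \qquad \begin{array}{c} \{\varphi[x]\} \\ \exists z_0, z_1.\,(B(z_0) \wedge \varphi[z_1] \wedge x = z_0 : z_1) \end{array}}{S(t)} \qquad (6)$$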

By IH applied to the left sub-derivation, there is a primitive corecursive function $g(u, v)$ yielding a stream 
$\sigma$ realizing $\varphi[t]$, from an environment $u$ and realizers $v$ for the open assumptions. By IH applied to the 
right sub-derivation, there is a primitive corecursive function $h(u, u', v, v')$ yielding a stream realizing 

$$\varphi'[x] := \exists z_0, z_1.\,(B(z_0) \wedge \varphi[z_1] \wedge x = z_0 : z_1)$$

from an environment $u$, a stream $u'$ assigned to $x$, realizers $v$ for the open assumptions, and a realizer $v'$ 
for $\varphi[x]$ in the environment $(v, v')$. Let $j$ and $j'$ be the functions that extract from a realizer for $\varphi'$ (in a 
given environment) the boolean $z_0 = \mathrm{hd}(x)$, and the realizer of $z_1 = \mathrm{tl}(x)$, respectively. 
If $u$ are the variables free in $\mathcal{D}$, define by corecurrence 

$$r(u, v, w) = j(w) : r(u, v, j'(h(u, v, w)))$$

Thus, if $u$ are streams, and $v$ are realizers for the open assumptions of $\mathcal{D}$ for the environment $u$, then 

$$r(u, v, g(u, v))$$

is the value of $t$, and therefore a realizer of $S(t)$, i.e. the conclusion of (5). 



□ 
Theorem 5 A function over streams is primitive corecursive iff it is computable by some equational 
program which is provable in IT$^+$. 

Proof. If a function is primitive corecursive then its primitive corecursive definition is provable in IT$^+$, 
by Proposition 2. 

Conversely, suppose $f$ is a function computable by some equational program $(P, f)$ which is provable 
in IT$^+$, i.e. there is a derivation of IT$^+(P)$ of the formula $S(x) \to S(f(x))$. From Lemma 4 it follows that 
there is a primitive corecursive program $(P_0, f_0)$ such that in all models $\mathcal{S}$ of $P$, a realizer of $S(\sigma)$, i.e. $\sigma$ 
itself, is mapped by $f_0$ to a realizer of $S(f(x))$, i.e. the value of $f(x)$ in the structure. Since $f$ is computed 
by $P$ in the canonical structure, the above holds there too, i.e. $f$ is primitive-corecursive in the canonical 
structure. 